INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Apple Fixes Two Exploited Vulnerabilities
Published: 2024-11-19.
Last Updated: 2024-11-19 21:56:52 UTC
by Johannes Ullrich (Version: 1)
Today, Apple released updates patching two vulnerabilities that have already been exploited. Interestingly, according to Apple, the vulnerabilities have only been exploited against Intel-based systems, but they appear to affect ARM (M-series) systems as well.
CVE-2024-44308
A vulnerability in JavaScriptCore. It could be triggered by the user visiting a malicious web page and may lead to arbitrary code execution.
CVE-2024-44309
This vulnerability affects WebKit. A vulnerability in the cookie management system may lead to cross-site scripting. The description is sparse, but it may indicate that an attacker could set a malicious cookie that will inject JavaScript or HTML into a web page.
Patches have been released for Safari and all of Apple's operating systems (including iOS/iPadOS/VisionOS, which are not used on Intel-based systems).
https://isc.sans.edu/diary/Apple+Fixes+Two+Exploited+Vulnerabilities/31452/
Exploit attempts for unpatched Citrix vulnerability
Published: 2024-11-18.
Last Updated: 2024-11-18 05:59:56 UTC
by Johannes Ullrich (Version: 1)
Last week, Watchtowr Labs released details describing a new and so far unpatched vulnerability in Citrix's remote access solution (https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/). Specifically, the vulnerability affects "Virtual Apps and Desktops." This solution allows "secure" remote access to desktop applications. It is commonly used for remote work, and I have seen it used in call center setups to isolate individual workstations from the actual desktop. The Watchtowr blog describes it as:
"This is a tech stack that enables end-users (and likely, your friendly neighbourhood ransomware gang) to access their full desktop environment from just about anywhere, whether they’re using a laptop, tablet, or even a phone."
One fundamental problem with this solution is that all desktops run on the same server, and a privilege escalation vulnerability will not just "root" the particular desktop, but the server and all sessions connected to it.
Citrix also includes the ability to record sessions and store these recordings for an administrator to review. Sadly, the review process uses a .NET function subject to deserialization vulnerabilities. Watchtowr published sample exploit code on GitHub. The exploit is triggered without the need to authenticate first.
So here is a sample exploit I have seen today ...
Read the full entry: https://isc.sans.edu/diary/Exploit+attempts+for+unpatched+Citrix+vulnerability/31446/